Class Readings

Edit 119

Threat Environment:

  1. Click Here to Kill Everyone,
    The Internet of ThingsDangerous Future.pdf
    (Bruce Schneir, NYMAG.com January 27, 2017)
  2. Everyone's been hacked, now what? (Kim Zetter, Wired 05-04-12)
  3. Hack Back (A DIY anatomy of a hack)

Threat Environment (Optional):

  1. I am calling you from Windows Tech Support (Bruce Schnier)(Nate Anderson, Ars Technica, 10-12-2012)

Aaron Swartz:

  1. Here and Now segment on the MIT/JSTOR exploit (July, 2011)
  2. JSTOR - Open Access Advocate is Arrested for Huge Download NY Times, July, 2011)
  3. More on the JSTOR crime from an expert witness (Boing Boing, January, 2013)
  4. More Aaron Swartz

IT Controls and SOX Readings:

When reading these articles focus on the thesis and findings, some of them use pretty esoteric statistics and this isn't a Ph.D. seminar so I'm not going to focus on that and you shouldn't either.

  1. Information Security and Sarbanes-Oxley Compliance: An Exploratory Study (Wallace, 2011)
    Journal of Information Systems 2011 Wallace.pdf
    59414945.pdf
    (this is the same file in case the first one does not print, if so use this one).
  2. SOX 404 reported internal control weaknesses: A test of COSO framework components and information technology (Klamm, 2009)
    Journal of Information Systems 2009 Klamm.pdf
  3. The effect of IT controls on financial reporting (Grant, 2008)
    Managerial Auditing Journal 2008 Grant.pdf
  4. IT internal control weaknesses and firm performance: An organizational liability lens (Stoel, 2011)
    International Journal of Accounting Information Systems 2011 Stoel.pdf
  5. THE CONSEQUENCES OF INFORMATION TECHNOLOGY CONTROL WEAKNESSES ON MANAGEMENTINFORMATION SYSTEMS: THE CASE OF SARBANES-OXLEY INTERNAL CONTROL REPORTS. (Li, Peters, Richardson,Weidenmier, 2012)
    MIS Quarterly 2012 Li.pdf

Optional Additional Readings:

  1. PWC Eye of the Storm: Key findings from the 2012 Global State of Information Security Survey:
    PwC_GSISS-2.pdf
  2. IT control weaknesses undermine the information value chain (Klamm, 2011).
    2011 Klamm.pdf
  3. From Phishing to Advanced Persistent Threats: The application of Cybercrime Risk to the Enterprise Risk Management Model
    2010 Moore.pdf
  4. A content Analysis of auditors reports on IT internal control weaknesses... (Boritz, Hayes, and Lim, 2013) ,
    Table1.pdf

Cryptography Readings:

Digital Certificates and Certificate Authority Readings:

  1. Encryption Working Group Final Report
    20161220EWGFINALReport.pdf

(Public/Private Key)

  1. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems (Rivest, Shamir & Adleman, 1983)
    1983 Rivest.pdf
    - This is the seminal article explaining public/private key encryptions, it's a bit technical so just scan it and don't worry about the math but try to understand it conceptually.
  2. Security by Obscurity(Bruce Schneier, May 15, 2012 - Now referred to as Obscurity is no Security)

Password Readings:


pants-poster.png

Password Vulnerabilities:


  1. Why Passwords have never been weaker and crackers never stronger (Dan Goodin, Ars Technica, August 20, 2012)

Storing Passwords:


  1. A Salt-free diet is bad for your security(Agilebits Blog, June 6, 2012)
  2. ARS was Hacked (read the comments as well)
  3. Threshold Cryptography (RSA Password storage) RSA white paper

Password Usage:


  1. Improving information security management: An analysis of ID–password usage and a new login vulnerability measure (Bang, et al, 2012)
    International Journal of Information Management 2012 Bang.pdf
  2. Of Passwords and People:
    2011 Komanduri.pdf
    (2011); (Summary by ArsTechnica, June 2013)
    password-complexity-rules-more-annoying-less-effective-than-length-ones.pdf

Why do we keep making the same password mistakes?:


  1. Why it Pays to Submit to Hackers (Wired.com, Ryan Tate, August, 2012)
  2. How to get Hacked in 5 easy steps (David Pouge, Yahoo Tech - this one's funny to read).

New Kinds of Authentication/Better Passwords:


  1. Active Authentication (the future?) Slides from DARPA:
    Active Authentication Performer Day v4 slides.pdf
  2. Learn a password subconsciously (Extreme Tech, July 19, 2012)
  3. Choosing Secure Passwords
  4. Beyond Passwords
  5. Video Clip of Talk mentioned in Article:

How Many Logins/Unique:
How many logins do you have usernamepassword-MzY1NDgwMjg3.xls


Software Security Readings:

  1. The Buffer Overflow
  3. SQL Injection
  5. Patch Compliance

Incident Response Readings:

  1. CF Disclosure Guidance: Topic No. 2 S.E.C. (This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents)
  2. The Future of Incident Response, by Bruce Schneier

SEC Readings:

    1. Cyberattack's abound yet companies tell SEC losses are few By Chris Strohm, Eric Engleman and Dave Michaels - Apr 3, 2013)
    2. Companies Hacked by Chinese Didn’t Disclose Attacks to Investors By By Chris Strohm, Dave Michaels and Sonja Elmquist - May 21, 2014)
    3. SEC Cybersecurity Roundtable Archive Webcast
    4. SEC OCIE Cybersecurity Initiative (April 15, 2014)
      Cybersecurity Risk Alert & Appendix - 4.15.14.pdf